Employers are caught between a rock

In the wake of the Information Commission conference on the draft Data
Protection Code, Ben Willmott looks at pros and cons of the regulations

A conference organised by the Information Commission on the draft Data
Protection Code on employee monitoring appears to have raised more questions
than it has answered.

Employers hoped that the conference, which was part of an extended
consultation period on the draft code, would clear up the confusion surrounding
the monitoring of staff e-mail and Internet access at work and give
organisations a further chance to express their views on the subject.

Unfortunately, Information Commissioner Elizabeth France told delegates that
she is unable to address the perceived employee-bias of the code.

The draft code on the use of personal data in the workplace was published by
the commissioner in October last year to provide guidance for employers on what
they need to do to comply with the Data Protection Act 1998.

But Personnel Today has discovered that HR professionals still have an
opportunity to influence the revised Data Protection Code. France explained
that the commission will supply a copy of the new draft of the code to a select
number of organisations later this summer, including the CIPD. Concerned HR
professionals should contact the CIPD to see the final draft and make their
voices heard.

The problems

The CIPD, CBI and the British Chambers of Commerce have serious concerns
over whether employers will be able to comply with the code without damaging
their businesses, unless its content is significantly changed.

One of their worries is how organisations will be able to comply with all
the legal requirements of the code without breaching other legislation, such as
the Regulation of Investigatory Powers Act, the Lawful Business Practice Regulations
and the Human Rights Act.

Susannah Haan, legal adviser for the CBI, believes employers could find
themselves between a rock and a hard place as they try to comply with the
regulation.

"Companies are going to find themselves in a Catch-22 situation. They
will be damned if they do and damned if they don’t. They will either fall foul
of the Information Commissioner or be caught by a body such as the Financial
Services Regulator," Haan said.

For example, employers can only intercept e-mails in transit, under the Regulation
of Investigatory Powers Act, but once they have been read by the recipient, the
Data Protection Act may apply.

Haan said there are many examples relating to e-mail and Internet monitoring
that could cause businesses to suffer.

Problems could arise from staff using e-mail to order goods and services
that have not been authorised, and also because the monitoring of inexperienced
staff who could be sending out inappropriate advice is not allowed, even at
professional services companies such as accountants and law firms, where there
is a statutory requirement to check advice.

Haan used the example of the Law Society, which requires legal firms to
ensure that someone who has been qualified for at least three years checks all
outgoing mail.

Other concerns over unchecked use of e-mail and the Internet include
defamation, transmission of viruses, infringement of copyright and giving away
sensitive commercial information.

Diane Sinclair, employee relations adviser for the CIPD, agrees with many of
the criticisms levelled by Haan. She said, "We want to see substantial
changes to the draft code, as we believe that, among other things, it is
inconsistent with good people management practices. It is far too long, too
prescriptive and totally unrealistic to believe organisations will be able to
readily comply."

The British Chambers of Commerce claims the draft code is too wide ranging
and protects the rights of employees at the expense of employers.

Under the code, employers have to inform their staff when they are going to
monitor them and they can only check e-mail content if there is a specific
business case to do so.

Sally Low, senior policy adviser for the BCC, said, "It should strike a
balance between the needs of employers running a business and the right of
employees to privacy.

"What we have put forward is that provided employees are warned at the
start of their employment that they will be monitored and given information
about the nature of the monitoring, then that should satisfy the legal
obligations of employers.

"As far as business is concerned, the draft code goes far beyond the
remit of the act."

The defence

The Information Commission has promised to make sure that the final draft of
the code will be simplified and will not clash with other existing legislation.

Dave Clancy, strategic policy officer for the Information Commission, told
Personnel Today the code was simply a guide to help employers comply with the
Data Protection Act without breaching other regulations," he said.

"It also gives employers an overview of how to comply with the act in
light of the other regulations. A lot of people seem to think that the code is
bringing in more regulation by the back door, but it is not, because the act is
there already," he added.

Assistant Information Commissioner David Smith said at the conference that
the draft code would provide "seamless guidance" on monitoring
e-mails, linking the act to the regulations launched in October. He also said
HR staff must be clear on how to implement the guidance.

James Davies, a partner at law firm Lewis Silkin, who attended the
conference, accused the business community of shooting the messenger. "I
have a lot of sympathy for the Information Commissioner. She is only setting
out her view of the law. It is the law that imposes these obligations that the
business community finds so onerous."

The Information Commission intends to publish the code in four sections. As
in the original draft, there will be best practice advice alongside the legal
guidelines, which employers will have to comply with.

Clancy said, "The code is aimed at HR managers from medium and large
companies. We aim to produce a code of practice for all levels of people and
business to educate people on their rights and obligations."

Why employers are unhappy with the code

Employers say they are unhappy about the draft code of practice because:

– They will struggle to comply with the requirements of the draft Data
Protection Code as well as existing legislation like the Human Rights Act and
the Regulation of Investigatory Powers Act

– The draft code is too prescriptive and does not take into account the
needs of different businesses

– Too much emphasis is placed on the rights of employees at the expense of
employers’ rights

– Some of the draft code’s requirements are not practical, for example, it
proposes sickness records should only be kept by the employer, subject to an
employee’s consent